Description

WordPress Plugin WishList Member X is prone to a remote code execution vulnerability because it fails to sufficiently sanitize user-supplied input. Successful exploitation may allow attackers to execute arbitrary commands with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data or to compromise a vulnerable system. WordPress Plugin WishList Member X version 3.25.1 is vulnerable; prior versions may also be affected.

Remediation

Disable and remove the plugin until a fix is available

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wishlist-member-x/wishlist-member-x-3251-authenticated-subscriber-remote-code-execution

Related Vulnerabilities

WordPress Plugin WPBakery Page Builder Cross-Site Scripting (6.4.0)

WordPress Plugin Custom Website Data Cross-Site Request Forgery (1.2)

WordPress Plugin All-In-One Security (AIOS)-Security and Firewall Directory Traversal (5.1.4)

Apache HTTP Server Other Vulnerability (CVE-2003-0017)

Envoy Proxy Improper Encoding or Escaping of Output Vulnerability (CVE-2024-45808)

Severity

High

Classification

CVE-2024-37109 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Code Execution